The scripts natively support Windows 10 feature updates installation on 32-bit and 64-bit client computers that use Symantec Endpoint Encryption and Symantec Encryption Desktop. The scripts are provided as an example and may require modification for a specific environment.

The current implementation is not suitable for Opal hardware encrypted drives.

Resolution:

Upgrade scripts overview

Symantec provides the preparatory script prepare.cmd that you can find under the Download Files section below. You add this script to Patch Management Solution software update policy distribution package. When an endpoint receives the policy with the package, the preparatory script does the following:

Detects the installed encryption product.

Facilitates generation and usage of required artifacts:

setupcomplete.cmd
This script is executed at the end of the upgrade process to register the components of an encryption product and finalize Windows configuration.

SetupConfig.ini
These configuration settings for Windows 10 feature updates installation are generated in the package directory. These settings provide Windows setup with the information about the location of encryption drivers.

Folder with encryption drivers

Copies the required encryption drivers from the Windows System32 folder to the temporary folder (DRV) that is provided to Windows setup using the ReflectDrivers parameter.

Note that you can use the script prepare.cmd for encrypted and non-encrypted systems. If no encryption product is found, RegisterSoftware.reg is not created and setupcomplete.cmd is generated only with the commands required to complete Windows 10 feature update installation.

Create and configure a software update policy as described in DOC9422, and perform the additional steps during the process:

After you have copied an appropriate ISO file to the policy distribution package location (step 7.5), copy and paste the preparatory script prepare.cmd to this package location.
Repeat this procedure for all packages that are involved in the feature updates installation on your encrypted Windows 10 systems.

After you have added all the required ISO files and preparatory scripts to the policy distribution package location (step 8), modify the update(s) command line(s) as follows:

On the Software Update Policy page, on the Advanced tab, under Command Line, click the command line.

On the Command-line Options page, click Custom, and then after swuenv.bat, add the command for prepare.cmd execution (i.e., swuenv.bat && call prepare.cmd &&).

After Windows 10 feature updates installation, encryption software is registered in the system using the following entries in RegisterSoftware.reg (the actual entries depend on the encryption product identified on the endpoint):

Customizations

You can use the following customization options to address specifics of your environment:

Note: Symantec recommends that you verify and test driver and OS compatibility during the due diligence process.

To provide custom drivers, create the DRV directory in the package(s) location(s) on the Notification Server computer and place the required drivers with appropriate architecture.
The contents of this folder will be copied to the staging location on the endpoint and its path will be used for the ReflectDrivers parameter.

Note: Use only the minimal required set of encryption drivers. Unnecessary drivers may lead to unpredictable results during the upgrade process.

Provide a custom RegisterSoftware.reg file if you require additional registry manipulations (e.g., non-standard registration of an encryption product, etc.).Note: The custom file will not be executed if no drive encryption is detected on the system.

Provide a custom setupcomplete.cmd if you need to perform additional steps after Windows 10 feature updates installation.
The custom script must contain commands from the sample file:

Append additional commands to the end of the file.Note: The setupcomplete.cmd script is executed at the first Windows 10 start after OOBE on both encrypted and non-encrypted Windows 10 systems.

Provide custom SetupConfig.ini file if you need to customize the process of new Windows 10 version installation.
Actual Windows 10 upgrade process will be executed with the command line “Setup.exe /ConfigFile <path to SetupConfig.ini>”
For more information, see Windows Setup Automation Overview